From 109cd579e3b089b7fad4c92bf25594eba1af8a21 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 23 Aug 2022 16:58:07 +0300
Subject: [PATCH] fix canonicalization issue in Web UI
When Kerberos principal alias is used to login to a Web UI, we end up
with a request that is authenticated by a ticket issued in the alias
name but metadata processed for the canonical user name. This confuses
the RPC layer of the Web UI code and causes an infinite loop of page reloads.
Fix it by doing two things:
 - force use of canonicalization of an enterprise principal on server
   side, not just specifying that the principal is an enterprise one;
 - recognize that a principal in the whoami()-returned object can have
   aliases and the principal returned by the server in the JSON response
   may be one of those aliases.
Fixes: https://pagure.io/freeipa/issue/9226
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
---
 install/ui/src/freeipa/ipa.js | 8 +++++++-
 ipaserver/rpcserver.py        | 1 +
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
index 758db1b00..a08d632e9 100644
--- a/install/ui/src/freeipa/ipa.js
+++ b/install/ui/src/freeipa/ipa.js
@@ -271,7 +271,13 @@ var IPA = function () {
                             var cn = that.whoami.data.krbcanonicalname;
                             if (cn) that.principal = cn[0];
                             if (!that.principal) {
-                                that.principal = that.whoami.data.krbprincipalname[0];
+                                var principal = data.principal;
+                                var idx = that.whoami.data.krbprincipalname.indexOf(principal);
+                                if (idx > -1) {
+                                    that.principal = principal;
+                                } else {
+                                    that.principal = that.whoami.data.krbprincipalname[0];
+                                }
                             }
                         } else if (entity === 'idoverrideuser') {
                             that.principal = that.whoami.data.ipaoriginaluid[0];
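Review bot: The branch starting at `var idx = that.whoami.data.krbprincipalname.indexOf(principal);` silently falls back to `krbprincipalname[0]` when the server-returned `data.principal` is not among the aliases, which is exactly the ticket/metadata mismatch this commit is fixing, so a comment stating why that fallback is still safe once the server canonicalizes (or that it should be unreachable) would help the next reader. The lookup is an exact string match; if the server can ever return the principal in a different case than the stored alias, the match misses and the fallback is taken — worth confirming against the server side. The `idx` temporary is only used for a membership test, so `if (that.whoami.data.krbprincipalname.indexOf(principal) > -1) {` reads more directly. The enclosing `IPA` function begins and ends outside the hunk.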
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 1f85e9898..4e8a08b66 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -1109,6 +1109,7 @@ class login_password(Backend, KerberosSession):
                 ccache_name,
                 armor_ccache_name=armor_path,
                 enterprise=True,
+                canonicalize=True,
                 lifetime=self.api.env.kinit_lifetime)
 
             if armor_path:
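Review bot: The added `canonicalize=True,` carries no explanation of why it must accompany `enterprise=True`, and the dependency between this server-side flag and the Web UI's principal handling is not obvious from the call site. A short comment above the line, such as `# canonicalize so the ticket is issued in the canonical name; enterprise=True alone leaves alias logins mismatched with whoami metadata (issue 9226)`, would record the reason locally. The enclosing method of `login_password` starts and ends outside the hunk.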
-- 
2.37.3